
Re: Rule Load Formula: msg#00074

security.ids.snort.bleedingsnort

Subject: Re: Rule Load Formula

Turbosnort.com is probably what you were thinking about. By the vigilant
minds guys.

Load has to consider traffic patterns, which this doesn't. Although it
is *some* measure of performance. I use them here and there when unsure.

Matt

Gentoo-Wally wrote:
> My math is not so good so... j/k
>
> Isn't there a site somewhere where you can copy a rule into it and it
> would test it for performance?
>
> Wally
>
> On 1/11/07, Martin Holste
> <martin.holste-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote:
>> It seems to me that it should be possible to create a somewhat simple
>> (or at least straightforward) formula for how much effort it takes to
>> process a given rule. It could be as simple as a unit of snort
>> processing so that rule comparisons can be made, though not translated
>> directly to actual CPU cycles or other measurable real-world events.
>>
>> I'm not sure if benchmarking or code-analysis (or some combination)
>> would prove the most accurate. Obviously, different
>> compiling/architecture options affect Snort's performance, but it
>> seems to me that a theoretical performance formula is tangible based
>> on the source code. I also think that it would be fair to assume that
>> the ac-bnfa matching algorithm is used, since it is destined to be the
>> default.
>>
>> So, to that end, do you think this mailing list could put together
>> something to start a list of values where an oink = 1 unit of Snort
>> processing load. Even estimated values would be helpful.
>>
>> Matching Oinks
>> content x (per char)
>> pcre x (per char)
>> rawbytes x (per char)
>> uricontent x (per char)
>> isdataat x
>> byte_test x
>> byte_jump x
>> ftpbounce x
>> regex x (per char)
>>
>> Modifiers Oinks
>> nocase x
>> depth x
>> offset x
>> distance x
>> within x
>>
>> Non-payload Oinks
>> fragoffset x
>> ttl x
>> tos x
>> id x
>> ipopts x
>> fragbits x
>> dsize x
>> flags x
>> flow x
>> flowbits x
>> seq x
>> ack x
>> window x
>> itype x
>> icode x
>> icmp_id x
>> icmp_seq x
>> rpc x
>> ip_proto x
>> sameip x
>>
>> We'd then need to figure out multipliers for single/all ports and IP
>> filters as well as other miscellaneous additions to the formula.
>>
>> So, if something like this has been done, please point me to it, but I
>> was unable to Google anything like this, and I figured that with all
>> of the seasoned Snort vets on this list we ought to be able to come up
>> with something.
>>
>> --Martin
>> _______________________________________________
>> Bleeding-sigs mailing list
>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
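As an added example (not code from the thread, from Snort, or from Turbosnort), the following Python sketch implements the kind of estimator Martin proposes: it parses a rule's options and sums per-option "oink" weights, charging content and pcre per matched character and applying a multiplier when the destination port is `any`. Every weight, the port multiplier and the two sample rules are constructed placeholders, since the thread leaves all values as "x".

```python
import re

# Hypothetical "oink" weights for the cost model sketched in the thread.
# Every value in the thread is left as "x"; these numbers are placeholders,
# not measured Snort costs. PER_CHAR options are charged per matched byte.
PER_CHAR = {"content": 1, "uricontent": 1, "pcre": 3}
FLAT = {"nocase": 2, "depth": 1, "offset": 1, "distance": 1, "within": 1,
        "rawbytes": 1, "isdataat": 1, "byte_test": 2, "byte_jump": 2,
        "ftpbounce": 4, "flow": 1, "flowbits": 1, "dsize": 1, "flags": 1,
        "ttl": 1, "itype": 1, "icode": 1, "ip_proto": 1, "sameip": 1}
ANY_PORT_MULTIPLIER = 2  # placeholder for the "all ports" multiplier Martin mentions

# name, optional ":value" (values may be quoted and contain escaped quotes), ";"
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*((?:[^;"]|"(?:[^"\\]|\\.)*")*))?;')

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and (option, value) pairs."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = [(k, v.strip()) for k, v in OPTION_RE.findall(body)]
    return {"proto": proto, "sport": sport, "dport": dport, "options": options}

def payload_len(value):
    """Bytes a content/pcre option matches (quotes, pcre delimiters/flags stripped)."""
    value = value.strip('"')
    if value.startswith("/"):           # pcre:"/pattern/flags"
        value = value[1:value.rfind("/")]
    elif value.startswith("|") and value.endswith("|"):   # content:"|00 01|"
        return len(value.strip("|").split())
    return len(value)

def estimate_oinks(rule):
    """Sum the placeholder weights of every option the rule uses."""
    parsed = parse_rule(rule)
    cost = 0
    for name, value in parsed["options"]:
        if name in PER_CHAR:
            cost += PER_CHAR[name] * payload_len(value)
        elif name in FLAT:
            cost += FLAT[name]          # msg, sid, rev etc. cost nothing here
    if parsed["dport"] == "any":        # rule is evaluated against more traffic
        cost *= ANY_PORT_MULTIPLIER
    return cost

# Constructed sample rules, not taken from any ruleset.
WEB_RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; '
            r'flow:to_server,established; content:"GET"; nocase; depth:4; '
            r'pcre:"/admin\d+/i"; sid:1000001; rev:1;)')
HEX_RULE = 'alert tcp any any -> any any (content:"|00 01 02|"; sid:1000002;)'
```

With these placeholder weights `estimate_oinks(WEB_RULE)` returns 31 and `estimate_oinks(HEX_RULE)` returns 6; the point is the shape of the calculation, not the numbers, which would have to come from benchmarking as the thread discusses.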

